{
	"id": "d689b2b6-34dc-4ddf-8bf6-b9b97094e7d7",
	"created_at": "2026-04-06T00:14:48.37937Z",
	"updated_at": "2026-04-10T13:12:53.51221Z",
	"deleted_at": null,
	"sha1_hash": "ca9e79099adf463a4d9d31c0cc20515303bdd9c0",
	"title": "What the LockBit 4.0 Leak Reveals About RaaS Groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1537574,
	"plain_text": "What the LockBit 4.0 Leak Reveals About RaaS Groups\r\nBy Michele Campobasso\r\nPublished: 2025-08-13 · Archived: 2026-04-05 18:05:23 UTC\r\nMichele Campobasso, Senior Security Researcher, Vedere Labs, Forescout Technologies\r\nAugust 13, 2025\r\n4 Min Read\r\nCOMMENTARY\r\nFor years, LockBit has been viewed as the gold standard in ransomware — a sleek, professional, and ruthlessly efficient criminal syndicate with the polish of a Silicon Valley startup.\r\nBut the recent leak of LockBit's 4.0 affiliate panel shattered that illusion, exposing a chaotic, backbiting, and wildly inconsistent operation behind the scenes. If you've been picturing ransomware groups as disciplined digital criminal organizations, this leak made one thing clear: The real threat is far more fragmented and unpredictable because of it.\r\nThe leak, which occurred in May and included thousands of chats between LockBit affiliates and their victims, uncovered that the ransomware ecosystem remains opportunistic and disorganized. Affiliates ignored victims, delivered broken decryption tools, dodged payments to their own platform, and even attacked prohibited targets, including Russian state entities.\r\nhttps://www.darkreading.com/vulnerabilities-threats/what-lockbit-leak-reveals-raas-groups\r\nPage 1 of 4\r\nThe Leak That Spilled the Truth: Inside LockBit 4.0\r\nOn May 7, LockBit's 4.0 affiliate panel was compromised and replaced with a link to a data dump containing more than 4,000 chat messages, thousands of ransomware builds, internal user tags, and cryptowallet data. Following the Conti leaks of February 2022, which shed light on ransomware gang operations, this was an unprecedented behind-the-scenes look at how ransomware-as-a-service (RaaS) operations function behind closed doors.\r\nThe leak revealed that much of the affiliate ransomware ecosystem remains opportunistic and disorganized. Affiliates operate with little oversight, and their professionalism varies widely. Some negotiate payments with care and follow through on decryption, while others vanish the moment a ransom is paid. In one exchange, an affiliate blamed corrupted files on antivirus software and told a victim to wait for the correct decryption tool because \"the boss is very busy.\" This continued until the affiliate eventually stopped replying.\r\nEven the supposed rules of the LockBit platform were ignored by affiliates. LockBit rules state that affiliates should not target Russian organizations, but in February, two Russian government entities were hit. To contain the fallout, LockBit administrators took over and offered free decryptors to save face. The affiliate responsible for the attack was suspended and tagged \"ru target.\"\r\nEven the economics of the operation were unclear. Of the 159 Bitcoin wallets tied to extortion attempts, only 19 received funds. Some affiliates may have negotiated outside LockBit's platform to avoid giving in to the platform's 20% cut. One affiliate extorted more than $2 million from a Swiss cloud provider. Most, however, walked away with nothing.\r\nWhy This Chaos Makes Ransomware Harder to Stop\r\nIt's tempting to think that disorganization makes these groups less dangerous. In reality, the opposite is true. The chaos is what makes them harder to defend against.\r\nWithout consistent structure or standards, it's harder to build a predictable playbook that lets defenders prepare properly. One affiliate may offer support and honor payment agreements, while another might disappear after collecting the ransom. That unpredictability complicates incident response planning and erodes what little perceived value there is in paying a ransom.\r\nThere is also no guarantee that stolen data will be destroyed or kept secret. Data from breaches can surface months later, exposing an organization's private negotiations or security failings even after it believed the crisis had been contained.\r\nSurprisingly, this case shows that the affiliate model incentivizes recklessness. Although brand reputation is key to a successful RaaS enterprise, apart from glaring examples of rule infringement, we found no repercussions for affiliates who breached the terms of service, which in turn may make actors confident in taking bigger risks, demanding more money, and moving on with minimal or no consequences. We speculate that this may hold true for other RaaS ventures.\r\nThe only rational defense isn't negotiation; it's preparation. That means segmenting networks, monitoring for lateral movement, implementing multifactor authentication, and patching known vulnerabilities. It also means rehearsing incident response with the assumption that help will not come even after a ransom is paid.\r\nThe Future of RaaS: More Mayhem for the Unprepared\r\nUndoubtedly, the LockBit leak will not be the last. As pressure from law enforcement agencies continues to increase and financial incentives wane, it's likely organizations will see more infighting within ransomware groups (as suspected by the very same LockBit admins), giving security researchers invaluable real-world data.\r\nThis infighting will likely lead to fewer brand-name groups collecting heterogeneous actors operating in short bursts. Attribution will get harder, threat intelligence will get murkier, and the RaaS landscape will resemble less of a corporate hierarchy and more of a crowded and unstable atmosphere.\r\nToo often, defenses become oriented around names — Conti, LockBit, BlackCat — as if fighting a brand means understanding the underlying threat. But these names are disposable identities, built for plausible deniability, technological convenience, and short-term gain. Clinging to them offers a false sense of clarity.\r\nThe LockBit 4.0 leak serves as a wake-up call: The ransomware threat isn't (anymore?) too organized, centralized, or consistent. It's fragmented, opportunistic, and growing more chaotic by the day. Being prepared is the cornerstone of a successful defense: those who aren't will face uncertainty caused by attackers' lack of accountability.\r\nBut there's hope: Less accountability means fewer successful RaaS brands, which will result in a reduced set of technical TTPs to inform network defenses; researchers studying negotiation tactics can provide signals to assess the reliability of a threat actor, regardless of brand, to minimize losses; and finally, the growing awareness of this threat, combined with a more disorganized ecosystem, could make their business unprofitable. Until their next move.\r\nAbout the Author\r\nSenior Security Researcher, Vedere Labs, Forescout Technologies\r\nMichele Campobasso is a senior security researcher at Vedere Labs, Forescout Technologies. He holds a PhD in Cybercrime Ecosystems from Eindhoven University of Technology. In his work, he integrates concepts from economics and criminology to characterize cybercriminal marketplaces that foster innovation and enable attacks at scale, in order to identify those posing the more damaging real-world threats. Part of his research has been instrumental in the law enforcement operation “Cookie Monster” against Genesis Market, led by EUROPOL, the Dutch National Police, and the FBI. He contributed to a white paper on access-as-a-service, presented to the US Department of Commerce, which led to the NSO Group being included as a company threatening US national security. His research has received wide media and industry attention (Intel471, Troy Hunt, Recorded Future, national media), and he has been invited to speak at industrial and scientific symposia.\r\nSource: https://www.darkreading.com/vulnerabilities-threats/what-lockbit-leak-reveals-raas-groups",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/vulnerabilities-threats/what-lockbit-leak-reveals-raas-groups"
	],
	"report_names": [
		"what-lockbit-leak-reveals-raas-groups"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca9e79099adf463a4d9d31c0cc20515303bdd9c0.pdf",
		"text": "https://archive.orkl.eu/ca9e79099adf463a4d9d31c0cc20515303bdd9c0.txt",
		"img": "https://archive.orkl.eu/ca9e79099adf463a4d9d31c0cc20515303bdd9c0.jpg"
	}
}